Assessment reports>Blackwing>Discussion>Centralization

Centralization risk on the OWNER role

The deployer is responsible for receiving assets from the vault, supplying them to the Aave pool and transferring the aToken back to the vault. However, the owner role can modify the pool's deployer address at will.

function updateDeployer(IERC20 asset, IDeployer deployer) public {
  require(hasRole(OWNER_ROLE, msg.sender), UNAUTHORIZED_ERR);
  pools[asset].deployer = deployer;
}

function deployAssets(IERC20 asset, uint amount) public {
  require(hasRole(OWNER_ROLE, msg.sender), UNAUTHORIZED_ERR);
  requireAssetRegistered(asset);

  PoolInfo memory pool = pools[asset];
  require(asset.transfer(address(pool.deployer), amount), ASSET_DEPLOYMENT_ERR);
  pool.deployer.deploy(asset, amount);
}

The deployer in deployAssets() can be changed by the vault's owner, potentially allowing the owner to direct all vault balances to a deployer address that they control.

Blackwing has acknowledged this but maintains it for upgrading deploy code. Additionally, Blackwing plans to use a multi-sig wallet to ensure their OWNER's security.

Zellic © 2025Back to top ↑